
Large Health Facilities Have Major Patient Data Security Issues

Posted on July 2, 2014 | Written By

Anne Zieger is a veteran healthcare editor and analyst with 25 years of industry experience. Zieger formerly served as editor-in-chief of FierceHealthcare.com and her commentaries have appeared in dozens of international business publications, including Forbes, Business Week and Information Week. She has also contributed content to hundreds of healthcare and health IT organizations, including several Fortune 500 companies. She can be reached at @ziegerhealth or www.ziegerhealthcare.com.

Many healthcare organizations have security holes that leave not only their systems but also their equipment susceptible to cyberattacks, according to two recent studies.

The researchers included Scott Erven, head of information security for multi-state hospital and clinic chain Essentia Health, and Shawn Merdinger, an independent consultant. According to iHealthBeat, the two presented their findings last week at the Shakacon conference.

Erven and his colleagues conducted a two-year study addressing the security of Essentia’s medical equipment. As part of their study they found that hackers could manipulate dosages of drugs provided by drug infusion pumps, deliver random defibrillator shocks to patients or prevent medically needed shocks from taking place, and change the temperature settings in refrigerators holding blood and drugs.

The research team also looked for exposed equipment within other healthcare organizations, and the results were appalling. Within only 30 minutes, iHealthBeat notes, they found one healthcare organization which had 68,000 devices that exposed data. Across all of the health systems they studied, they found 488 exposed cardiology systems, 323 PACS systems, 32 pacemaker systems, 21 anesthesiology systems and several telemetry systems used to monitor elderly patients and prevent infant abductions.

Both Erven and Merdinger found that the organizations were leaking data because an Internet-connected computer had not been configured securely. Typically, data leaks occurred because sys admins had enabled Server Message Block (a protocol used to help admins find and communicate with computers internally) and allowed it to broadcast information, turning private data into publicly accessible data.
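A defensive check for the SMB exposure described above, as an added example that is not from the article or the researchers: it audits a firewall rule list for allow rules that open SMB or its NetBIOS companion ports to sources outside RFC 1918 space. The rule schema, rule names and sample rules are constructed for illustration, and only IPv4 sources are handled.

```python
import ipaddress

# SMB (TCP 445) plus the NetBIOS services it can run over.
SMB_PORTS = {("udp", 137), ("udp", 138), ("tcp", 139), ("tcp", 445)}
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample rules; the dict schema is hypothetical.
SAMPLE_RULES = [
    {"name": "lan-fileshare", "action": "allow", "proto": "tcp",
     "ports": "445", "source": "10.20.0.0/16"},
    {"name": "legacy-share", "action": "allow", "proto": "tcp",
     "ports": "139,445", "source": "0.0.0.0/0"},
    {"name": "vendor-support", "action": "allow", "proto": "tcp",
     "ports": "1-1024", "source": "203.0.113.0/24"},
    {"name": "netbios-names", "action": "allow", "proto": "udp",
     "ports": "137-138", "source": "192.168.0.0/16"},
    {"name": "block-smb-wan", "action": "deny", "proto": "tcp",
     "ports": "445", "source": "0.0.0.0/0"},
]

def parse_ports(spec):
    """Expand '139,445' or '1-1024' into inclusive (low, high) ranges."""
    ranges = []
    for part in spec.split(","):
        low, _, high = part.strip().partition("-")
        ranges.append((int(low), int(high or low)))
    return ranges

def is_internal(cidr):
    """True only when the whole IPv4 source range sits inside RFC 1918 space."""
    net = ipaddress.ip_network(cidr, strict=False)
    return any(net.subnet_of(block) for block in RFC1918)

def exposed_smb_rules(rules):
    """Return (rule name, protocol, ports) for allow rules that open SMB or
    NetBIOS ports to non-internal sources. Rule ordering is not modelled."""
    findings = []
    for rule in rules:
        if rule["action"] != "allow" or is_internal(rule["source"]):
            continue
        ranges = parse_ports(rule["ports"])
        hit = sorted(port for proto, port in SMB_PORTS
                     if proto == rule["proto"]
                     and any(lo <= port <= hi for lo, hi in ranges))
        if hit:
            findings.append((rule["name"], rule["proto"], hit))
    return findings
```

The broad `1-1024` rule is flagged even though it never names SMB, which is the kind of exposure a keyword search for "445" would miss.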

According to Erven, these issues are “global” and impact thousands of healthcare organizations. He suggests that too often, healthcare organizations focus on HIPAA compliance and don’t put enough effort into penetration testing and vulnerability protection.

This should come as no surprise. After all, Proficio’s Takeshi Suganuma notes, HIPAA was developed to protect PHI for a wide range of organizations, and as he puts it, “one size seldom fits all.”  While HIPAA compliance is important, collection, analysis and monitoring of security events are also critical activities for medium- to large-sized organizations, Suganuma suggests.

He also warns that healthcare organizations should be aware that cyberattackers are exploiting not only traditional network vulnerabilities, but also vulnerabilities in printers and medical devices. Networked medical devices are a particularly significant issue, since provider IT teams can’t upgrade the underlying operating system embedded in these devices — and too many of the devices are using older versions of Windows and Linux with known security holes.

The key point Suganuma, Erven and Merdinger are making is that while HIPAA compliance is good, healthcare organizations must pay greater attention to new attack vectors, or they face high odds of security compromise.  Seems like there’s a lot of work (and investment) afoot.

Hospital EHR Device Integration

Posted on January 11, 2013 | Written By

John Lynn is the Founder of the HealthcareScene.com blog network which currently consists of 15 blogs containing almost 6000 articles with John having written over 3000 of the articles himself. These EMR and Healthcare IT related articles have been viewed over 13 million times. John also manages Healthcare IT Central and Healthcare IT Today, the leading career Health IT job board and blog. John is co-founder of InfluentialNetworks.com and Physia.com. John is highly involved in social media, and in addition to his blogs can also be found on Twitter: @techguy and @ehrandhit.

This week has been pretty crazy for me as I’ve been attending three conferences back to back. Plus, the conference in the middle is the 120,000 person CES (Consumer Electronics Show) in Las Vegas. The healthcare section of CES has been growing like crazy. Those who had 10×10 booths last year now have 20×20 booths and the number of health IT related companies at CES has grown 20%.

As I’ve been browsing these ever-growing booths about consumer health I’ve been smothered in various consumer-focused devices. I’ve seen every sort of FDA cleared device including: Blood Pressure Cuffs, Scales, Dermascopes, Otoscopes, Pulse Oximeters, Stethoscopes, and Thermometers. The innovation with these devices is amazing. The integration with these devices and other devices is amazing. The price point for these devices is dropping.

With all of this in mind, I’ve wondered why more hospitals aren’t taking a larger interest in what’s happening here. Not to mention why more hospital EHR vendors aren’t integrating with these devices as well. Someone asked me what’s the difference in these devices versus the ones that are being used in healthcare today. The obvious answer is price and brand recognition (trust). Although, they are all FDA cleared devices, so is there really a difference in the results? The FDA clearance process is quite rigorous. I don’t have the full answer to this question, so I’d love to hear from some hospital people and other device manufacturers to hear your view on it.

Maybe the answer is that hospitals are buying the big expensive devices because those are the devices that integrate with their hospital EHR system. If that’s the main reason, then we need more of the major hospital EHR vendors to start doing the medical device integration with these low cost alternatives. Imagine the cost savings.

The other side of the coin is hospitals deploying these devices to the patient. I’ve seen this in a few cases where the hospital wants to reduce readmissions. Although, it’s an interesting dance since it is largely under the purview of the primary care doctor. It’s always felt awkward that the hospital’s readmission issues are dependent on a group of doctors that don’t work in the hospital. Maybe this will change as hospitals buy up more doctors’ offices.

It’s an exciting time to see the devices coming to healthcare. I just wish I saw more hospitals and hospital EHRs involved in what’s happening. I wonder how many healthcare CIOs are seeing what’s happening and planning for it.

I predict 2013 will be the year of the consumer health device and I don’t think most hospitals or doctors are ready for it.

Vendor Offers “Vitals as a Service” Wrapped Around Open Source EMR

Posted on June 1, 2012 | Written By

Anne Zieger

Folks, I don’t generally write up reports on products, but this one was so interesting I wanted to give you a look-see and let you assess it.

A UK-based manufacturer, Isansys Lifecare Limited, has just introduced a “cloud-based patient digitization and analytic solution for monitoring and predicting the present and future clinical status of patients anytime, anywhere.”  (Whew, try saying that three times fast!)

More specifically, Isansys is introducing a “Patient Status Engine” which integrates data from wireless sensors on the patient’s body into a cloud-based EMR.  The Engine is apparently designed to not only accept data from the sensors, but also to use that data to predict future health events.

The wireless sensors at the heart of the “Vitals as a Service” program are also created by Isansys. Here’s how the company describes them:

The LifeTouch HRV011 sensor performs a key patient digitisation function within the Patient Status Engine, and together with other devices allows healthcare providers to collect five vital signs continuously, wirelessly and in real-time – Heart Rate (HR), Respiration Rate (RR), Blood Pressure (BP), Pulse Oximetry (SpO2), and Temperature (T). The system also analyses the ECG signals to provide the essential data for Heart Rate Variability (HRV) techniques and methods.

The EMR used for the bundled product is provided by Tolven Corp., which has created an open source solution, and the secure server hosting was created in partnership with Fujitsu.

There’s so much going on here that I’m not even sure what to say about this, other than that I love the idea of getting vitals into the EMR without endless checking and note-taking.  My guess is that despite the open-source partnership, this will not be cheap, but that remains to be seen.

In any event, I see this as a great example of several trends — including mobile computing, interoperability of medical devices and remote monitoring — coming together in a useful way. Here’s hoping this product delivers what it promises.

Connecting EMRs and Smart Pumps Proving Difficult

Posted on May 10, 2012 | Written By

Anne Zieger

As they settle into their implementation, hospitals are hoping to connect key medical devices to their EMRs. But vanishingly few have pulled off connecting one important device, the smart infusion pump, according to recent research by KLAS.

KLAS’s new study surveyed 251 providers from 218 organizations. Researchers concluded that fewer than 10 providers in the country are tying smart pumps to their EMRs, despite the fact that most providers see such connections as an important safety measure. The smart pumps let clinicians know if the pumps aren’t set to match a facility’s guidelines, while standard pumps are programmed by hand.

More than half of providers told KLAS that EMR integration is a key factor in selecting future pumps, the firm says.  And they handed out higher satisfaction ratings to vendors whose technology development is moving along. Smart pump vendors Baxter, Carefusion and Hospira, for example, led in wireless technology.

That hospitals are demanding wireless pumps that connect with EMRs is no big surprise. Far too many — 23 percent — of surveyed provider organizations reported serious medication incidents within the previous 24 months. Sixty percent of the serious errors were made while using drug libraries. Clearly, using the libraries is good, but connecting to an EMR with auto-programming could make a difference.

Given the difference EMR-connected pumps could make, why are so few providers already connected?  Well, one obvious issue is that only 60 percent of providers are live on wireless pump technology, which is necessary to get the integration done.

It’s not just the pump that’s an issue, however. When hospitals roll out this approach, it requires a great deal of coordination between IT, EMR users, clinical analysts and more, notes Kristen O’Shea, clinical transformation officer for WellSpan Health, who spoke with InformationWeek magazine about her organization’s smart-pump rollout.

To make sure the team worked together smoothly with the new device connections, WellSpan created a new hybrid biomedical/IT position to manage medical device connectivity. (Smart move — maybe more would be getting done in the EMR/device connection realm if they did more hiring of this kind?)

Medical Device Makers Still Working To Connect With EMRs

Posted on January 11, 2012 | Written By

Anne Zieger

Right now, only a small percentage of hospitals are collecting data from medical devices in real time.  That’s partly because hospitals have other technical challenges to handle first (including the development of interfaces between major enterprise systems), and partly because device makers aren’t offering easy connectivity options.

But providers are prodding medical device makers — hard — to offer device-to-EMR links. As medical connectivity consultant Tim Gee notes, it’s kind of a no-brainer at this point. “What’s the use of automating the EMR if users have to write down numbers read from medical device displays and then manually type them into the EMR?” Gee asks, sensibly enough.

Unfortunately for hospital IT managers, the situation hasn’t gotten much better since my colleague Katherine Rourke shared Gee’s impressions last April.

Let’s start with the ugly conclusions. From what Gee says, exporting medical device data to an EMR is a complicated mess, and neither vendors nor hospitals are likely to solve this problem anytime soon.

In theory, the set-up is fairly simple. The device must be capable of exporting data digitally, and be set up to feed into a centralized data aggregation server. The server then must pass the device data through an HL7 interface and push that transformed data to the EMR.

Making that happen is harder than it seems, however. For one thing, using HL7 doesn’t necessarily get the job done, Gee notes. After all, the EMR you’ve installed may use HL7 standards in one way, and the device-maker might pick another set of options. It’s a Tower of Babel situation at that point. There are kludges to work around HL7 compatibility problems, but they involve a lot of testing and configuration prior to launch.
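The mismatch described above, as an added example that is not from the article or from any vendor: two constructed HL7 v2 ORU messages report the same heart rate and SpO2, one using LOINC codes with text units and the other using ISO/IEEE 11073 (MDC) codes with coded units, and the aggregation step has to map both onto one vocabulary. The sender names, patient ID and function name are hypothetical, and the mapping tables cover only these two vitals.

```python
# OBX-3 (code, coding system) pairs mapped to one canonical name:
# LOINC ("LN") and ISO/IEEE 11073 ("MDC") codes for the same two vitals.
OBSERVATIONS = {
    ("8867-4", "LN"): "heart_rate", ("147842", "MDC"): "heart_rate",
    ("59408-5", "LN"): "spo2", ("150456", "MDC"): "spo2",
}
# OBX-6 units: plain text from one sender, MDC numeric codes from the other.
UNITS = {"/min": "/min", "264864": "/min", "%": "%", "262688": "%"}

# Constructed messages from two hypothetical monitors reporting the same vitals.
MSG_A = "\r".join([
    "MSH|^~\\&|MONITOR_A|ICU|EMR|HOSP|20120111120000||ORU^R01|A1|P|2.6",
    "PID|||12345^^^HOSP^MR",
    "OBX|1|NM|8867-4^Heart rate^LN||72|/min|||||F",
    "OBX|2|NM|59408-5^SpO2^LN||97|%|||||F",
])
MSG_B = "\r".join([
    "MSH|^~\\&|MONITOR_B|ICU|EMR|HOSP|20120111120000||ORU^R01|B1|P|2.6",
    "PID|||12345^^^HOSP^MR",
    "OBX|1|NM|147842^MDC_ECG_HEART_RATE^MDC|1.0.0.1|72"
    "|264864^MDC_DIM_BEAT_PER_MIN^MDC|||||R",
    "OBX|2|NM|150456^MDC_PULS_OXIM_SAT_O2^MDC|1.0.0.2|97"
    "|262688^MDC_DIM_PERCENT^MDC|||||R",
])

def parse_vitals(message):
    """Normalise the OBX segments of an ORU message to {name: (value, unit)}.
    Unknown codes or units raise instead of being guessed or dropped."""
    segments = [s for s in message.replace("\n", "\r").split("\r") if s]
    if not segments or not segments[0].startswith("MSH") or len(segments[0]) < 5:
        raise ValueError("not an HL7 v2 message")
    # The separators are declared by the sender in MSH-1 and MSH-2.
    field_sep, comp_sep = segments[0][3], segments[0][4]
    vitals = {}
    for seg in segments[1:]:
        f = seg.split(field_sep)
        if f[0] != "OBX":
            continue
        if len(f) < 7 or f[2] != "NM":
            raise ValueError(f"unsupported OBX segment: {seg!r}")
        ident = f[3].split(comp_sep)
        key = (ident[0], ident[2] if len(ident) > 2 else "")
        unit = f[6].split(comp_sep)[0]
        if key not in OBSERVATIONS or unit not in UNITS:
            raise ValueError(f"unmapped code or unit in: {seg!r}")
        vitals[OBSERVATIONS[key]] = (float(f[5]), UNITS[unit])
    return vitals
```

Rejecting unmapped codes outright, rather than passing them through, keeps a misread identifier from landing in the chart under the wrong label.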

At present there’s no obvious solution to these problems. You’ll probably want to stay informed on the IHE-PCD (patient care device) project, though.  IHE-PCD creates integration profiles for medical devices, and has already released profiles for 20-odd devices and applications.  IHE-PCD profiles have already been used to pass along data from common devices like infusion pumps, ventilators and anesthesia workstations. Members are creating workflow solutions for problems like alarm management, too.

Also, keep an eye out for big medical device investments and acquisitions by cash-rich EMR vendors. (My bet is that it’ll prove easier for EMR vendors to buy connectivity solutions than create them.) This may make your life easier, as vendors will come to the table with device interfaces which already work.

Of course, using both their devices and EMR may lock you in rather firmly to that vendor, but it may be worth the trouble. Deciding whether it’s worth the risk may be one of the big decision points you face in, say, 2013. In the meantime, get prepared. This issue is going to be a pain in the neck for some time to come, it seems.